3dcbb454901ec7abac12a4ccd70ae4737003269f1fb2d93a7fcb115f62f4ec95 | Triage

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 16:27 UTC

Sharing

Report Analysis Logs

General

Target

d6950de30b17788894ae91f0fc276a5a.exe
Size

506KB
MD5

d6950de30b17788894ae91f0fc276a5a
SHA1

45e9524c62f38e6538b1504e0542ac361a07e818
SHA256

3dcbb454901ec7abac12a4ccd70ae4737003269f1fb2d93a7fcb115f62f4ec95
SHA512

a1a7f2cb73cecef6c5488fff571bcc3747ef7b09399778ef382d51c6ad0510618d99dd97d71fddbbc4290d30feadcddc26c893e68a379153af90624442cca137
SSDEEP

12288:ulSAk6QnICkx68EMzQVo2G+q2Rxp2mFcA0u9lyqZ6zTBLmVP6Dcr3eafsmZvnHTE:qSA1QbkxMMzQVo2G+q2R+he9EqZ6zTBZ

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1756	d6950de30b17788894ae91f0fc276a5a.exe

Executes dropped EXE 1 IoCs

pid	Process
1756	d6950de30b17788894ae91f0fc276a5a.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

flow	ioc
24	pastebin.com
26	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1756	d6950de30b17788894ae91f0fc276a5a.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task/Job

pid	Process
2908	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1756	d6950de30b17788894ae91f0fc276a5a.exe
1756	d6950de30b17788894ae91f0fc276a5a.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3308	d6950de30b17788894ae91f0fc276a5a.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3308	d6950de30b17788894ae91f0fc276a5a.exe
1756	d6950de30b17788894ae91f0fc276a5a.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3308 wrote to memory of 1756	3308	d6950de30b17788894ae91f0fc276a5a.exe	88
PID 3308 wrote to memory of 1756	3308	d6950de30b17788894ae91f0fc276a5a.exe	88
PID 3308 wrote to memory of 1756	3308	d6950de30b17788894ae91f0fc276a5a.exe	88
PID 1756 wrote to memory of 2908	1756	d6950de30b17788894ae91f0fc276a5a.exe	93
PID 1756 wrote to memory of 2908	1756	d6950de30b17788894ae91f0fc276a5a.exe	93
PID 1756 wrote to memory of 2908	1756	d6950de30b17788894ae91f0fc276a5a.exe	93

C:\Users\Admin\AppData\Local\Temp\d6950de30b17788894ae91f0fc276a5a.exe
"C:\Users\Admin\AppData\Local\Temp\d6950de30b17788894ae91f0fc276a5a.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3308
- C:\Users\Admin\AppData\Local\Temp\d6950de30b17788894ae91f0fc276a5a.exe
  C:\Users\Admin\AppData\Local\Temp\d6950de30b17788894ae91f0fc276a5a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\d6950de30b17788894ae91f0fc276a5a.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:2908

Network

DNS

www.UNPrEvMxPC.com

d6950de30b17788894ae91f0fc276a5a.exe

Remote address:

8.8.8.8:53

Request

www.UNPrEvMxPC.com

IN A

Response
DNS

www.UNPrEvMxPC.com

d6950de30b17788894ae91f0fc276a5a.exe

Remote address:

8.8.8.8:53

Request

www.UNPrEvMxPC.com

IN A
DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR

Response
DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR
DNS

71.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

71.31.126.40.in-addr.arpa

IN PTR

Response
DNS

71.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

71.31.126.40.in-addr.arpa

IN PTR
DNS

w.google.com

d6950de30b17788894ae91f0fc276a5a.exe

Remote address:

8.8.8.8:53

Request

w.google.com

IN A

Response

w.google.com

IN CNAME

www3.l.google.com

www3.l.google.com

IN A

142.250.179.206
GET

http://w.google.com/

d6950de30b17788894ae91f0fc276a5a.exe

Remote address:

142.250.179.206:80

Request

GET / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Accept: */*, ???@, ??????????????
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Host: w.google.com

Response

HTTP/1.1 404 Not Found

Content-Type: text/html; charset=UTF-8
Referrer-Policy: no-referrer
Content-Length: 1561
Date: Tue, 19 Mar 2024 16:27:46 GMT
DNS

pastebin.com

d6950de30b17788894ae91f0fc276a5a.exe

Remote address:

8.8.8.8:53

Request

pastebin.com

IN A

Response

pastebin.com

IN A

104.20.68.143

pastebin.com

IN A

104.20.67.143

pastebin.com

IN A

172.67.34.170
GET

http://pastebin.com/raw/ubFNTPjt

d6950de30b17788894ae91f0fc276a5a.exe

Remote address:

104.20.68.143:80

Request

GET /raw/ubFNTPjt HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Accept: */*, ???@, ??????????????
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Host: pastebin.com

Response

HTTP/1.1 301 Moved Permanently

Date: Tue, 19 Mar 2024 16:27:46 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Tue, 19 Mar 2024 17:27:46 GMT
Location: https://pastebin.com/raw/ubFNTPjt
Server: cloudflare
CF-RAY: 866ed4edea5823be-LHR
GET

https://pastebin.com/raw/ubFNTPjt

d6950de30b17788894ae91f0fc276a5a.exe

Remote address:

104.20.68.143:443

Request

GET /raw/ubFNTPjt HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Accept: */*, ???@, ??????????????
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Host: pastebin.com

Response

HTTP/1.1 404 Not Found

Date: Tue, 19 Mar 2024 16:27:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
x-frame-options: DENY
x-frame-options: DENY
x-content-type-options: nosniff
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: HIT
Age: 18
Server: cloudflare
CF-RAY: 866ed4ef4ebe6511-LHR
DNS

207.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

207.178.17.96.in-addr.arpa

IN PTR

Response

207.178.17.96.in-addr.arpa

IN PTR

a96-17-178-207deploystaticakamaitechnologiescom
DNS

206.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.179.250.142.in-addr.arpa

IN PTR

Response

206.179.250.142.in-addr.arpa

IN PTR

ams15s42-in-f141e100net
DNS

241.154.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.154.82.20.in-addr.arpa

IN PTR

Response
DNS

143.68.20.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

143.68.20.104.in-addr.arpa

IN PTR

Response
DNS

64.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

64.159.190.20.in-addr.arpa

IN PTR

Response
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR

Response

41.110.16.96.in-addr.arpa

IN PTR

a96-16-110-41deploystaticakamaitechnologiescom
DNS

26.165.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.165.165.52.in-addr.arpa

IN PTR

Response
DNS

13.86.106.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.86.106.20.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

195.177.78.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

195.177.78.104.in-addr.arpa

IN PTR

Response

195.177.78.104.in-addr.arpa

IN PTR

a104-78-177-195deploystaticakamaitechnologiescom
DNS

183.142.211.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.142.211.20.in-addr.arpa

IN PTR

Response
DNS

119.110.54.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

119.110.54.20.in-addr.arpa

IN PTR

Response
DNS

18.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.134.221.88.in-addr.arpa

IN PTR

Response

18.134.221.88.in-addr.arpa

IN PTR

a88-221-134-18deploystaticakamaitechnologiescom
DNS

201.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

201.178.17.96.in-addr.arpa

IN PTR

Response

201.178.17.96.in-addr.arpa

IN PTR

a96-17-178-201deploystaticakamaitechnologiescom
DNS

33.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

33.134.221.88.in-addr.arpa

IN PTR

Response

33.134.221.88.in-addr.arpa

IN PTR

a88-221-134-33deploystaticakamaitechnologiescom
DNS

206.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.178.17.96.in-addr.arpa

IN PTR

Response

206.178.17.96.in-addr.arpa

IN PTR

a96-17-178-206deploystaticakamaitechnologiescom
DNS

185.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

185.178.17.96.in-addr.arpa

IN PTR

Response

185.178.17.96.in-addr.arpa

IN PTR

a96-17-178-185deploystaticakamaitechnologiescom
DNS

185.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

185.178.17.96.in-addr.arpa

IN PTR

Response

185.178.17.96.in-addr.arpa

IN PTR

a96-17-178-185deploystaticakamaitechnologiescom
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR
DNS

189.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

189.178.17.96.in-addr.arpa

IN PTR

Response

189.178.17.96.in-addr.arpa

IN PTR

a96-17-178-189deploystaticakamaitechnologiescom
DNS

189.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

189.178.17.96.in-addr.arpa

IN PTR

Response

189.178.17.96.in-addr.arpa

IN PTR

a96-17-178-189deploystaticakamaitechnologiescom
DNS

217.135.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.135.221.88.in-addr.arpa

IN PTR

Response

217.135.221.88.in-addr.arpa

IN PTR

a88-221-135-217deploystaticakamaitechnologiescom
DNS

217.135.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.135.221.88.in-addr.arpa

IN PTR

Response

217.135.221.88.in-addr.arpa

IN PTR

a88-221-135-217deploystaticakamaitechnologiescom
DNS

40.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

40.134.221.88.in-addr.arpa

IN PTR

Response

40.134.221.88.in-addr.arpa

IN PTR

a88-221-134-40deploystaticakamaitechnologiescom
DNS

40.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

40.134.221.88.in-addr.arpa

IN PTR
DNS

31.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.243.111.52.in-addr.arpa

IN PTR

Response
DNS

31.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.243.111.52.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418550_1B8YD3DMBL24NYO16&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340418550_1B8YD3DMBL24NYO16&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 281287
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 932A48F577FA45CAB3FA1FF77238772F Ref B: LON04EDGE0910 Ref C: 2024-03-19T16:29:28Z
date: Tue, 19 Mar 2024 16:29:28 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301075_1EVAVP8NT46RWGGT8&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301075_1EVAVP8NT46RWGGT8&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 449324
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 3B365A20B52E4EF3BBB28C791AB1BD5B Ref B: LON04EDGE0910 Ref C: 2024-03-19T16:29:28Z
date: Tue, 19 Mar 2024 16:29:28 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301508_1C46JYBQTKFOJ8JCV&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301508_1C46JYBQTKFOJ8JCV&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 427995
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 3FF59AC5B7A441C8AF41E61FCB9A6259 Ref B: LON04EDGE0910 Ref C: 2024-03-19T16:29:28Z
date: Tue, 19 Mar 2024 16:29:28 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418549_1ZU8FEFK0ERHP4923&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340418549_1ZU8FEFK0ERHP4923&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 285024
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 565EFC0E63EA4BBE9A88BC42482DAABA Ref B: LON04EDGE0910 Ref C: 2024-03-19T16:29:28Z
date: Tue, 19 Mar 2024 16:29:28 GMT
DNS

200.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.197.79.204.in-addr.arpa

IN PTR

Response

200.197.79.204.in-addr.arpa

IN PTR

a-0001a-msedgenet
DNS

200.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.197.79.204.in-addr.arpa

IN PTR

Response

200.197.79.204.in-addr.arpa

IN PTR

a-0001a-msedgenet
DNS

90.16.208.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

90.16.208.104.in-addr.arpa

IN PTR

Response
DNS

90.16.208.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

90.16.208.104.in-addr.arpa

IN PTR

Response

142.250.179.206:80

http://w.google.com/

http

d6950de30b17788894ae91f0fc276a5a.exe

462 B
1.9kB
5
4

HTTP Request

GET http://w.google.com/

HTTP Response

404
104.20.68.143:80

http://pastebin.com/raw/ubFNTPjt

http

d6950de30b17788894ae91f0fc276a5a.exe

474 B
424 B
5
3

HTTP Request

GET http://pastebin.com/raw/ubFNTPjt

HTTP Response

301
104.20.68.143:443

https://pastebin.com/raw/ubFNTPjt

tls, http

d6950de30b17788894ae91f0fc276a5a.exe

953 B
4.6kB
9
8

HTTP Request

GET https://pastebin.com/raw/ubFNTPjt

HTTP Response

404
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.4kB
8.5kB
18
13
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.4kB
9.9kB
19
14
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239340418549_1ZU8FEFK0ERHP4923&pid=21.2&w=1920&h=1080&c=4

tls, http2

52.6kB
1.5MB
1095
1088

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418550_1B8YD3DMBL24NYO16&pid=21.2&w=1080&h=1920&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301075_1EVAVP8NT46RWGGT8&pid=21.2&w=1920&h=1080&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301508_1C46JYBQTKFOJ8JCV&pid=21.2&w=1080&h=1920&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418549_1ZU8FEFK0ERHP4923&pid=21.2&w=1920&h=1080&c=4

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.4kB
8.5kB
18
13

8.8.8.8:53

www.UNPrEvMxPC.com

dns

d6950de30b17788894ae91f0fc276a5a.exe

128 B
137 B
2
1

DNS Request

www.UNPrEvMxPC.com

DNS Request

www.UNPrEvMxPC.com
8.8.8.8:53

209.205.72.20.in-addr.arpa

dns

144 B
158 B
2
1

DNS Request

209.205.72.20.in-addr.arpa

DNS Request

209.205.72.20.in-addr.arpa
8.8.8.8:53

71.31.126.40.in-addr.arpa

dns

142 B
157 B
2
1

DNS Request

71.31.126.40.in-addr.arpa

DNS Request

71.31.126.40.in-addr.arpa
8.8.8.8:53

w.google.com

dns

d6950de30b17788894ae91f0fc276a5a.exe

58 B
95 B
1
1

DNS Request

w.google.com

DNS Response

142.250.179.206
8.8.8.8:53

pastebin.com

dns

d6950de30b17788894ae91f0fc276a5a.exe

58 B
106 B
1
1

DNS Request

pastebin.com

DNS Response

104.20.68.143

104.20.67.143

172.67.34.170
8.8.8.8:53

207.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

207.178.17.96.in-addr.arpa
8.8.8.8:53

206.179.250.142.in-addr.arpa

dns

74 B
113 B
1
1

DNS Request

206.179.250.142.in-addr.arpa
8.8.8.8:53

241.154.82.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.154.82.20.in-addr.arpa
8.8.8.8:53

143.68.20.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

143.68.20.104.in-addr.arpa
8.8.8.8:53

64.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

64.159.190.20.in-addr.arpa
8.8.8.8:53

41.110.16.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

41.110.16.96.in-addr.arpa
8.8.8.8:53

26.165.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

26.165.165.52.in-addr.arpa
8.8.8.8:53

13.86.106.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

13.86.106.20.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

195.177.78.104.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

195.177.78.104.in-addr.arpa
8.8.8.8:53

183.142.211.20.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

183.142.211.20.in-addr.arpa
8.8.8.8:53

119.110.54.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

119.110.54.20.in-addr.arpa
8.8.8.8:53

18.134.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

18.134.221.88.in-addr.arpa
8.8.8.8:53

201.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

201.178.17.96.in-addr.arpa
8.8.8.8:53

33.134.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

33.134.221.88.in-addr.arpa
8.8.8.8:53

206.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

206.178.17.96.in-addr.arpa
8.8.8.8:53

185.178.17.96.in-addr.arpa

dns

144 B
274 B
2
2

DNS Request

185.178.17.96.in-addr.arpa

DNS Request

185.178.17.96.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

213 B
157 B
3
1

DNS Request

198.187.3.20.in-addr.arpa

DNS Request

198.187.3.20.in-addr.arpa

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

217.135.221.88.in-addr.arpa

dns

146 B
278 B
2
2

DNS Request

217.135.221.88.in-addr.arpa

DNS Request

217.135.221.88.in-addr.arpa
8.8.8.8:53

189.178.17.96.in-addr.arpa

dns

144 B
274 B
2
2

DNS Request

189.178.17.96.in-addr.arpa

DNS Request

189.178.17.96.in-addr.arpa
8.8.8.8:53

40.134.221.88.in-addr.arpa

dns

144 B
137 B
2
1

DNS Request

40.134.221.88.in-addr.arpa

DNS Request

40.134.221.88.in-addr.arpa
8.8.8.8:53

31.243.111.52.in-addr.arpa

dns

144 B
316 B
2
2

DNS Request

31.243.111.52.in-addr.arpa

DNS Request

31.243.111.52.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

124 B
346 B
2
2

DNS Request

tse1.mm.bing.net

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

200.197.79.204.in-addr.arpa

dns

146 B
212 B
2
2

DNS Request

200.197.79.204.in-addr.arpa

DNS Request

200.197.79.204.in-addr.arpa
8.8.8.8:53

90.16.208.104.in-addr.arpa

dns

144 B
292 B
2
2

DNS Request

90.16.208.104.in-addr.arpa

DNS Request

90.16.208.104.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d6950de30b17788894ae91f0fc276a5a.exe

Filesize
506KB

MD5
961b522f2241f5d97e0575f90d0dff11

SHA1
30282a96570d5ceed02d99126d6d8b682feda7b7

SHA256
c28776a9658d1cd9ae5ad8db22b499bf61f086f1f6e640190eb7c2f3d3663baa

SHA512
d4d0667964e5952104b3075c1efe4c6c9501ca17bf531bfc52af67229db651909ad1612b659b312291a586f9067fdab9d650950c095bc49c4306d2537c9cf5c7

Download Submit
memory/1756-14-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1756-17-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/1756-20-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1756-21-0x0000000004F90000-0x000000000500E000-memory.dmp

Filesize
504KB

Download
memory/1756-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3308-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3308-1-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/3308-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3308-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download